How will the changes to PCI DSS affect you?

November 2, 2010

The PCI Security Standards Council have just released version 2.0 of PCI DSS, the Data Security Standard enforced upon all merchants that accept any form of card payments, designed to secure and protect cardholder details. Although it introduces only minor alterations, the amendment is mainly intended to provide greater clarity and flexibility for small merchants, giving them a more comprehensive understanding of the requirements that must be satisfied under PCI DSS and making those requirements easier to implement and abide by.

From a long-term perspective, the amendments are designed to help merchants manage evolving risks and data security threats whilst maintaining alignment with industry best practices. At a high level, the main changes cover:

Reinforcement of the need to conduct thorough scoping exercises, so that merchants can identify exactly where their cardholder data resides in the business.

The need for more effective log management of credit card data within the business.

Allowance for organisations to adopt a more risk-based approach when prioritising vulnerabilities, taking into account their specific circumstances.

The acceptance of unique business environments and accommodation of their specific needs.

More specifically, Jonathan Lampe, VP of Product Management at Ipswitch File Transfer and representative of the PCI Security Council, has identified the 5 key changes that will directly affect the transfer of sensitive credit card data:

Audit of virtual machine infrastructure and virtualisation hypervisors will be brought within the scope of PCI DSS.

Rotation requirements for the purposes of key management will be “based on industry best practices and guidelines” rather than an annual stipulation.

Identity and authentication requirements for users, “non-consumers” and administrators will be split further.

More specific requirements will be implemented around the auditability and security of timekeeping, especially as recorded in audit logs. (Coordinated and reliable timestamps are helpful during civil and criminal investigations as well as internal forensics investigations.)

A further step taken by the PCI Council to help small merchants meet the latest PCI DSS 2.0 changes is the introduction of a small microsite. The implementation life-cycle of the PCI Council’s standards will be extended from the current 2 years to 3 years to give merchants plenty of time to make the necessary changes. The new 2.0 standard will be effective from 1st January 2011; however, validation against the previous 1.2.1 standard will be allowed until 31st December 2011.

For more information regarding PCI DSS compliance and how this can be achieved in terms of secure file transfer, please don’t hesitate to contact the team at Pro2col on 0333 123 1240.